Accounts Are Later Abandoned

A large number of companies have been registered to handle these transfers, and the accounts are abandoned after being used a handful of times. The names of various port cities in Heilongjiang are used in the company names, along with variations on the words "economic and trade," "trade" and "LTD." Since the cities are all along the Russia-China border, the criminals can be based in either country. The FBI did not indicate in the advisory where the thieves are suspected to be located.

The criminal gang also sent domestic Automated Clearing House and wire transfers to money mules in the United States shortly after sending the unauthorized wire transfers to China. It is unclear at this time where those funds end up. Automated Clearing House is an electronic network that processes large volumes of financial transactions, whether that's consumers paying mortgage and insurance bills or businesses making direct deposit payroll and vendor payments.

The domestic wire transfers range from $200 to $200,000, and the ACH transfers range from $222,500 to $1.2 million.

Most of the affected organizations have accounts at local community banks and credit unions, many of which use third-party service providers for online banking, said the advisory. This makes it easier for the criminals to remain inconspicuous, as the individual wire transfers range from tens of thousands of dollars to $985,000. The criminals are generally more successful in receiving the illegal transfers when the sent amounts are less than $500,000, according to the FBI.

The FBI warning seems to confirm the emerging threat that attackers are beginning to target small and midsize companies in online fraud. In the recent Business Banking Trust Study from Ponemon Institute and Guardian Analytics, 56 percent of businesses reported experiencing payments fraud or attempted fraud in the past year. In 78 percent of the cases, banks failed to stop the illegal wire transfers, the report found.

The FBI recommended that financial institutions notify their business customers of any wire transfers going to the Heilongjiang port cities, including Raohe, Fuyuan, Jixi City, Xunke, Tongjiang and Dongning. The institutions should also be scrutinizing all wire activity going to those cities, especially if the customer has no prior history with that region of the world.

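A screening rule in the spirit of this recommendation, written as an added example and not taken from the FBI advisory or the article: it holds an outbound wire for review when the beneficiary city is one of the listed port cities and the customer has no prior wires to that country, and separately flags beneficiary names built on the port-city / "economic and trade" / "LTD" pattern described above. The record keys, the country-as-region approximation and the sample data are assumptions.

```python
import re

# Heilongjiang port cities named in the advisory (lowercase, no trailing "City").
WATCHLIST_CITIES = {"raohe", "fuyuan", "jixi", "xunke", "tongjiang", "dongning"}

# Beneficiary-name heuristic from the advisory: a listed port-city name,
# then "economic and trade" or "trade", then "LTD" (case-insensitive).
NAME_PATTERN = re.compile(
    r"\b(raohe|fuyuan|jixi|xunke|tongjiang|dongning)\b.*"
    r"\b(economic\s+and\s+trade|trade)\b.*\bltd\b",
    re.IGNORECASE,
)

def normalize_city(city):
    """Lowercase the city name and drop a trailing 'City' suffix."""
    return re.sub(r"\s+city$", "", city.strip().lower())

def review_wire(wire, history):
    """Return the reasons an outbound wire should be held for manual review.

    `wire` and each `history` entry (the same customer's earlier outbound wires)
    are dicts with the assumed keys beneficiary_name, beneficiary_city,
    beneficiary_country and amount_usd.
    """
    reasons = []
    if normalize_city(wire["beneficiary_city"]) in WATCHLIST_CITIES:
        reasons.append("destination city is on the Heilongjiang watchlist")
        # The advisory singles out customers with no prior activity in the
        # region; the region is approximated here as the beneficiary country.
        if wire["beneficiary_country"] not in {h["beneficiary_country"] for h in history}:
            reasons.append("customer has no prior wire history with this country")
    if NAME_PATTERN.search(wire["beneficiary_name"]):
        reasons.append("beneficiary name matches port-city trade/LTD pattern")
    return reasons

# Constructed sample records for a stand-alone run; not taken from the advisory.
SAMPLE_HISTORY = [{"beneficiary_name": "Acme Supply Inc", "beneficiary_city": "Chicago",
                   "beneficiary_country": "US", "amount_usd": 12000}]
SAMPLE_WIRES = [
    {"beneficiary_name": "Raohe Economic and Trade LTD", "beneficiary_city": "Raohe",
     "beneficiary_country": "CN", "amount_usd": 85000},
    {"beneficiary_name": "Acme Supply Inc", "beneficiary_city": "Chicago",
     "beneficiary_country": "US", "amount_usd": 9000},
    {"beneficiary_name": "Northern Parts Co", "beneficiary_city": "Jixi City",
     "beneficiary_country": "CN", "amount_usd": 40000},
]

def screen_batch(wires=SAMPLE_WIRES, history=SAMPLE_HISTORY):
    """Map each wire's beneficiary name to its review reasons (empty means clear)."""
    return {w["beneficiary_name"]: review_wire(w, history) for w in wires}
```

Because the city check is keyed on the normalized name, a beneficiary entered as "Jixi City" and one entered as "Jixi" both reach the watchlist branch.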
Several data-stealing Trojans have been used in this type of fraud, including Zeus, Backdoor.bot and Spybot, according to the FBI. The Zeus Trojan can steal codes generated by multifactor authentication tokens and use them to log in to accounts requiring usernames, passwords and token IDs. Backdoor.bot includes worm, downloader and keylogger components. Both Backdoor.bot and Spybot run in the background and allow attackers to remotely access the compromised machine.